(54) System for digitally signing a document

(57) The preferred embodiment of the invention comprises a computer system which employs a trusted display processor (260), which has a trusted processor (300) and trusted memory (305, 315, 335, 345) physically and functionally distinct from the processor and memory of the computer system. The trusted display processor (260) is immune to unauthorised modification or inspection of internal data. It is physical to prevent forgery, tamper-resistant to prevent counterfeiting, and has crypto functions (340) to securely communicate at a distance. The trusted display processor (260) interacts with a user's smartcard (122) in order to extract and display a trusted image, or seal (1000), generate a digital signature of the bitmap of a document image and control the video memory (315) so that other processes of the computer system cannot subvert the image during the signing process. The user interacts with the trusted display processor via a trusted switch (135).
Description

Technical Field 

[0001] The present invention relates to apparatus and methods for digitally signing image data, and in particular documents, in a manner which provides users with confidence that what they are signing is in fact the document they are signing.

Background Art 

[0002] Conventional prior art mass market computing platforms include competing products such as the Apple Macintosh™, and a proliferation of known palm-top and laptop personal computers. A general requirement for a computing platform for domestic or consumer use is Internet access features, and multimedia features for handling computer games. For this type of platform, the Microsoft Windows™ 95 and 98 operating system products and Intel processors, so-called WinTel platforms, dominate.

[0003] On the other hand, for business use, there are a plethora of available proprietary computer platform solutions available aimed at organizations ranging from small businesses to multi-national organizations. In many of these applications a server platform provides centralized data storage, and application functionality for a plurality of client stations. For business use, other key criteria are reliability, remote access and networking. For such platforms, the Microsoft Windows NT 4.0™ operating system is common, as well as the UNIX and, more recently, the Linux operating systems.

[0004] Windows-type operating systems allow a user to run separate applications in separate windows, and provide a so-called WIMP (windows, icons, menus and pointers) interface, whereby a user typically interacts with applications using a keyboard to enter data and a mouse for selection.

[0005] With the increase in commercial activity transacted over the Internet, known as 'e-commerce', there has been much interest in this area. It is perceived to be important for users to be able to enter into binding contracts over the Internet, without the need for the current standard hand-signed paper contract. However, because of the potential for fraud and manipulation of electronic data, in such proposals, fully automated transactions with distant unknown parties on a widespread scale as required for a fully transparent and efficient market place have so far been held back. An underlying issue is one of trust between users and their computer platforms, and between interacting computer platforms, for the making of such transactions.

[0006] There have been several prior art schemes which are aimed at increasing the security and trustworthiness of computer platforms. Predominantly, these rely upon adding in security features at the application level; that is to say, the security features are not inherently embedded in the fundamental hardware components of the computing platform. Portable computer devices have appeared on the market which include a smartcard, which contains data specific to a user, which is input into a smartcard reader on the computer. Presently, such smartcards are at the level of being add-on extras to conventional personal computers, and in some cases are integrated into a casing of a known computer. Although these prior art schemes go some way to improving the security of computer platforms, the levels of security and trustworthiness gained by prior art schemes are considered insufficient to enable widespread application of automated transactions between computer platforms. Before businesses expose significant value transactions to electronic commerce on a widespread scale, they will require greater confidence in the trustworthiness of the underlying technology.

[0007] In the applicant's co-pending patent applications 'Trusted Computing Platform' 99301100.6, filed at the European Patent Office on 15 February 1999, and 'Computing Apparatus and Me...' 9905056.9, filed at the UK Patent Office on 5 March 1999, the entire contents of which are incorporated herein by reference, there is disclosed a concept of a 'trusted computing platform' comprising a computing platform having a trusted component in the form of a built-in hardware component. Two computing entities each provisioned with such a trusted component may interact with each other with a high degree of trust. That is to say, where the first and second computing entities interact with each other the security of the interaction is enhanced compared to the case where no trusted component is present, because:

- A user of a computing entity has higher confidence in the integrity and security of his own computer entity and in the integrity and security of the computer entity belonging to the other party;

- Each entity is confident that the other entity is in fact the entity which it purports to be;

- Where one or both of the entities represent a party to a transaction, e.g. a data transfer transaction, because of the in-built trusted component, third party entities interacting with the entity have a high degree of confidence that the entity does in fact represent such a party;

- The trusted component increases the inherent security of the entity itself, through verification and monitoring processes implemented by the trusted component; and

- The computer entity is more likely to behave in the way it is expected to behave.

[0008] As has been indicated above, the conventional method of signing a document is to physically write a signature on the medium (usually paper) upon which an image of a document is reproduced. This method has the advantages that it is clear what is being signed, and the signed image is proof of what was signed. However, it does not meet the needs of e-commerce.

[0009] Nowadays it is also possible to digitally sign a document, using a conventional computer platform and standard encryption techniques. In conventional computer platforms, however, the present inventors have appreciated that the electronic rendition of a document which is digitally signed is typically not the same rendition of the document that is visible to the user. It is therefore possible for a user to unintentionally sign data that is different from that which he intended to sign. Conversely, it is also possible for a user to intentionally sign data and later fraudulently claim that the signed data does not correspond to that displayed to him by the computer platform. Such problems would still be present, even if a trusted platform, as described above, were used.

[0010] Conventional electronic methods of signing are well known to those skilled in the art. Essentially, digital data is compressed into a digest, for example by the use of a hash function. Then that digest is encrypted by the use of some encryption method that has been initialised by a secret key (or simply a 'secret'). This is normally done on a computer platform, such as a PC. One implementation is to sign data using a private encryption key held secret on a user's smartcard, which is plugged into a smartcard reader attached to the computer platform. In the specific case of a textual document, the digital data may be the file produced by a word processor application, such as Microsoft's Notepad, Wordpad or Word. As usual, the act of signing implies that the signer accepts some legal responsibility for the meaning of the data that was signed.

[0011] Hash functions are well known in the prior art and comprise one-way functions which are capable of generating a relatively small output data from a relatively large quantity of input data, where a small change in the input data results in a significant change in the output data. Thus, a data file to which is applied a hash function results in a first digest data (the output of the hash function). A small change, e.g. a single bit of data, in the original data file will result in a significantly different output when the hash function is reapplied to the modified data file. Thus, a data file comprising megabytes of data may be input into the hash function and result in a digital output of the order of 128 to 160 bits length as the resultant digest data. Having a relatively small amount of digest data generated from a data file stored in the reserved directory is an advantage, since it takes up less memory space and less processing power in the trusted ...

[0012] During known signing processes, a user will typically interpret a document as it has been rendered on the computer's monitor at normal magnification and resolution. In existing applications, the user's smartcard signs data in a format that is the representation of the document by the application used to create and/or manipulate the document. The present inventors believe, however, that there is potential for software to send data to the smartcard that has a different meaning from that understood by the user when viewing the screen. This possibility may be sufficient reason to produce doubt into the validity of conventional methods of digitally signing electronic representations of documents that are to be interpreted by people.

Disclosure of the Invention

[0013] The invention consists of systems and methods to improve confidence in digitally signed documents that are to be interpreted by people. They necessarily involve the reliable display of data, which can be used for other purposes.

[0014] In accordance with a first aspect, the present invention provides a data processing system arranged to generate a digital signature representative of a document, the data processing system comprising:

main memory means for storing a document to be digitally signed;

main processing means for executing at least one application process comprising means to generate graphics signals for displaying the document;

means for generating a request signal for the document to be signed;

a display system comprising: frame buffer memory; means for generating digital image data representative of the document on the basis of the graphics signals and storing the digital image data in the frame buffer memory; and means for reading the digital image data from the frame buffer memory, converting the data into signals suitable for displaying an image thereof on a display means and forwarding said signals to a display means; and

a trusted component comprising independent processing means operable, in response to receipt of the request signal, for generating a digital signature representative of the digital image data.

[0015] As such, the digital signature ...

[0016] In preferred embodiments, the trusted component comprises means for denying to any other process write access to at least the portion of the frame buffer memory storing the digital image data, and means for generating a digital signature representative of the digital image data while the respective portion of the frame buffer memory is not accessible for writing data to.

[0017] In preferred embodiments the data processing system further comprises a removable token having processing means for receiving the digital image data, or a representation thereof, and generating a respective digital signature. Conveniently, the removable token is an appropriately programmed smartcard.

[0018] In preferred embodiments the trusted component comprises means for acquiring and/or generating trusted image data and means for controlling the display system to display an image represented by the trusted image data. This provides visual feedback to a user that the trusted component is in control of the display. The trusted image data may comprise pixmap data representative of the trusted image or instructions for ...

... respond to messages in a secure fashion. The trusted input means may comprise a switch connected to the trusted component.

The display system may be arranged such that the trusted component is physically and functionally positioned between the main processing means and the frame buffer memory, such that the main processing means can only access the frame buffer memory indirectly through functions of the trusted component.

[0026] Other aspects and embodiments of the invention will be apparent from the following description and drawings.

Brief Description of the Drawings

[0027] Embodiments of the present invention will now be described in detail with reference to the accompanying drawings, of which:

Figure 1 is a diagram which illustrates a computer system suitable for operating in accordance with the preferred embodiment of the present invention;

Figure 2 is a diagram which illustrates a hardware architecture of a host computer suitable for operating in accordance with the preferred embodiment of the present invention;

Figure 3 is a diagram which illustrates a hardware architecture of a trusted display processor suitable for operating in accordance with the preferred embodiment of the present invention;

Figure 4 is a diagram which illustrates a hardware architecture of a smart card processing engine suitable for operating in accordance with the preferred embodiment of the present invention;

Figure 5 is a diagram which illustrates a functional architecture of a host computer including a trusted display processor and a smart card suitable for operating in accordance with the preferred embodiment of the present invention;

Figure 6 is a flow diagram which illustrates the steps involved in generating an ind...;

Figure 7 is a diagram which illustrates the sequence of messages between the trusted display processor and the smart card in order to recover seal image data from the smart card;

Figure 8 is a diagram which illustrates the sequence of messages between the trusted display processor and the smart card in order to generate a signature of a document image;

Figure 9 is a diagram which illustrates the sequence of messages between the trusted display processor and the smart card in order to generate a signature of a summary of the document image signing process;

Figure 10a is a diagram which illustrates an exemplary trusted image;

Figures 10b to 10d are diagrams which illustrate the visual steps in signing a document image; and

Figures 10e to 10g are diagrams which illustrate alternative ways of highlighting the image of a document to be signed.

Best Mode For Carrying Out the Invention, & Industrial Applicability

[0028] The preferred embodiment utilises a trusted component that most conveniently uses some of the characteristics of the 'trusted component' described in the applicant's co-pending European patent application number 99301100.6. In that application, the trusted component is a hardware device, comprising a processor programmed to measure an integrity metric of its host computer, compare it with a true value of the integrity metric and communicate the integrity (or otherwise) of the host computer to users or other host computers. The significant similarities between that trusted component and the trusted component in the preferred embodiment herein are:

- that they both use cryptographic processes but preferably do not provide an external interface to those cryptographic processes;

- that they are both tamper-resistant or tamper-detecting, so that their operation cannot be subverted, at least without the knowledge of the legitimate user; and

- that they both preferably consist of one physical hardware component that is both physically and functionally independent of the host computer on which it resides.

[0029] Such independence is achieved by the trusted component having its own processing capability and memory.

[0030] Techniques relevant to tamper-resistance are well known to those skilled in the art of security, as described in the applicant's co-pending application. These techniques include methods for fabricating components to resist tampering, methods for detecting tampering, and methods for eliminating data when tampering is detected. It will be appreciated that, although tamper-proofing is a most desirable feature of the present invention, it does not enter into the normal operation of the invention and, as such, is beyond the scope of the present description.

[0031] In this description, the term 'trusted', when used in relation to a physical or logical component or an operation or process, implies that the behaviour thereof is predictable under substantially any operating condition and highly resistant to interference or subversion by external agents, such as subversive application software, viruses or physical interference.

[0032] The term 'host computer' as used herein refers to a data processing apparatus having at least one data processor, at least one form of data storage and some form of communications capability for interacting with external entities, such as peripheral devices, users and/or other computers locally or via the Internet. The term 'host computer system', in addition to the host computer itself, includes standard external devices, such as a keyboard, mouse and VDU, that attach to the host computer.

[0033] The term 'document', as used herein, includes any set of data that can be visualised using a host computer system. Commonly a document will be a textual document, such as a contract. However, a document may comprise graphics, or pictures, instead of, or as well as, text. In general, a document may comprise a single page or multiple pages.

[0034] The term 'pixmap', as used herein, is used broadly to encompass data defining either monochrome or colour (or greyscale) images. Whereas the term 'bitmap' may be associated with a monochrome image only, for example where a single bit is set to one or zero depending on whether a pixel is 'on' or 'off', 'pixmap' is a more general term, which encompasses both monochrome and colour images, where colour images may require up to 24 bits or more to define the hue, saturation and intensity of a single pixel.

[0035] As will become apparent, the trusted component according to the preferred embodiment herein provides a secure user interface and, in particular, controls at least some of the display functionality of its host computer. The trusted component herein may or may not also acquire integrity metrics according to the trusted component in the applicant's co-pending patent application, although such acquisition of integrity metrics will not be considered herein.

[0036] In essence, the preferred embodiment enables a user to digitally sign a document stored on a host computer using the private key of the user's smartcard, or other form of secure token such as a cryptographic co-processor. The signing is enacted by a trusted display processor (i.e. the trusted component) of the host computer under conditions that provide the user with a high level of confidence that the document being viewed on screen is in fact the document being signed. The seal is obtained over a secure channel and displayed by the trusted component during the signing procedure. It is in part the display of the seal to the user which provides the user with the confidence that the signing is a trusted operation. In addition, in the preferred embodiment, the display of the host computer is under trusted control in a manner which cannot be subverted by other functions of the host computer.

[0037] Particularly, the trusted display processor, or a device with similar properties, is associated with video memory beyond the point where data can be manipulated by standard host computer software. This is used to unambiguously identify the image (pixmap) that a user is signing. An aspect of this is that the trusted display processor may reliably display any of its data on its display surface, including, for example, the integrity metrics of the prior patent application, or user status messages or prompts. The display, when operating under trusted control, as will be described, can be thought of as ...

[0038] Figure 2 shows a hardware architecture of the host computer of Figure 1.

[0039] According to Figure 2, the host computer 100 comprises a central processing unit (CPU) 200 ... of the host computer 100. The CPU in this case is a Pentium™ processor. The CPU is connected via a PCI (Peripheral Component Interconnect) bus 215 of the host computer 100 to the other main components .... The bus 215 comprises address, data and control portions, which will not be described in detail herein.

[0040] For a detailed description of Pentium processors and PCI architecture, which is beyond the scope of the present description, the reader is referred to the book 'The Indispensable PC Hardware Handbook', ..., published by Addison-Wesley, ISBN 0-201-4039.... Of course, the present embodiment ....

[0041] The other main components of the host computer 100 attached to the PCI bus 215 include ... a LAN (local area network) adapter 250 for connecting to other host computers (not shown), such as file servers, print servers or email servers, and ....

[0042] These components, in particular the trusted display processor 260, are preferably all integrated onto the motherboard of the host computer 100, although, sometimes, LAN adapters 250 and SCSI adapters 230 can ....

[0043] Figure 3 shows a preferred physical architecture for the trusted display processor 260. It is a single component combining the standard display functions of a display processor and the extra, non-standard functions for providing a trusted user interface. The functions could alternatively be physically split into two or more separate physical components. However, a single component is a most elegant and convenient solution.

[0044] According to Figure 3, the trusted display processor 260 comprises:

- a microcontroller 300;

- non-volatile memory 305, for example flash memory, containing respective control program instructions (i.e. firmware) for controlling the operation of the microcontroller 300 (alternatively, the trusted display processor 260 could be embodied in an ASIC, which would typically provide greater performance and cost efficiency in mass production, but would generally be more expensive to develop and less flexible);

- an interface 310 for connecting the trusted display processor 260 to the PCI bus for receiving image data (i.e. graphics primitives) from the CPU 200 and also trusted image data from the smartcard 122, as will be described;

- frame buffer memory 315, which comprises sufficient VRAM (video RAM) in which to store at least one full image frame (a typical frame buffer memory 315 is 1-2 Mbytes in size, for screen resolutions of 1280x768 supporting up to 16.7 million colours);

- a video DAC (digital to analogue converter) 320 for converting pixmap data into analogue signals for driving the (analogue) VDU 105, which connects to the video DAC 320 via a video interface 325;

- an interface 330 for receiving signals directly from the trusted switch 135;

- volatile memory 335, for example DRAM (dynamic RAM) or more expensive SRAM (static RAM), for storing state information, particularly received cryptographic keys, and for providing a work area for the microcontroller 300;

- a cryptographic processor 340, comprising hardware cryptographic accelerators and/or software, arranged to provide the trusted display processor 260 with a cryptographic identity and to provide authenticity, integrity and confidentiality, guard against replay attacks, make digital signatures, and use digital certificates, as will be described in more detail below; and

- non-volatile memory 345, for example flash memory, for storing an identifier I_DP of the trusted display processor 260 (for example a simple text string name), a private key S_DP of the trusted display processor 260, and a certificate Cert_DP signed and provided by a trusted third party certification agency, such as VeriSign Inc., which binds the trusted display processor 260 with a signature public-private key pair and a confidentiality public-private key pair and includes the corresponding public keys of the trusted display processor 260.

[0045] A certificate typically contains such information, but not the public key of the CA. That public key is typically made available using a 'Public Key Infrastructure' (PKI). Operation of a PKI is well known to those skilled in the art of security.

[0046] The certificate Cert_DP is used to supply the public key of the trusted display processor 260 to third parties in such a way that third parties are confident of the source of the public key and that the public key is a part of a valid public-private key pair. As such, it is unnecessary for a third party to have prior knowledge of, or to need to acquire, the public key of the trusted display processor 260.

[0047] The trusted display processor 260 lends its identity and trusted processes to the host computer, and the trusted display processor has those properties by virtue of its tamper-resistance, resistance to forgery, and resistance to counterfeiting. Only selected entities with appropriate authentication mechanisms are able to influence the processes running inside the trusted display processor 260. Neither an ordinary user of the host computer, nor any ordinary user or any ordinary entity connected via a network to the host computer may access or interfere with the processes running inside the trusted display processor 260. The trusted display processor 260 has the property of being "inviolate".

[0048] Originally, the trusted display processor 260 is initialised with its identity, private key and certificate by secure communication with the trusted display processor 260 after it is installed onto the motherboard of the host computer 100. The method of writing the certificate to the trusted display processor 260 is analogous to the method used to initialise smartcards by writing private keys thereto. The secure communication is supported by a 'master key', known only to the trusted third party (and to the manufacturer of the host computer 100), that is written to the trusted display processor 260 during manufacture, and used to enable the writing of data to the trusted display processor 260. Thus, writing of data to the trusted display processor 260 without knowledge of the master key is not possible.

[0049] It will be apparent from Figure 3 that the frame buffer memory 315 is only accessible by the trusted display processor 260 itself, and not by the CPU 200. This is an important feature of the preferred embodiment, since it is imperative that the CPU 200, or, more importantly, subversive application programs or viruses, cannot modify the pixmap during a trusted operation. Of course, it would be feasible to provide the same level of security even if the CPU 200 could directly access the frame buffer memory 315, as long as the trusted display processor 260 were arranged to have ultimate control over when the CPU 200 could access the frame buffer memory 315. Obviously, this latter scheme would be more difficult to implement.
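As an added illustration, not code from the patent, the following Python model ties together the hash-then-sign step of [0010], the frame buffer that only the trusted display processor can write ([0049]) and the trusted switch: the host writes pixels only through the processor, which refuses writes while the smartcard signs a digest of the pixmap actually on screen and returns the card's seal for display. The smartcard key is a toy RSA key built from two Mersenne primes, the 4x2 pixmap and the seal bytes are constructed, and every class and function name is an assumption of this example.

```python
import hashlib

# Toy RSA key for the demo only: two well-known Mersenne primes stand in for the
# card's secret primes so that the example is deterministic and dependency-free.
_P, _Q = (1 << 127) - 1, (1 << 521) - 1
_E = 65537


def toy_rsa_keypair():
    # Returns ((e, n), (d, n)); pow(e, -1, phi) needs Python 3.8+
    n, phi = _P * _Q, (_P - 1) * (_Q - 1)
    return (_E, n), (pow(_E, -1, phi), n)


class FrameBuffer:
    # Pixmap store owned by the trusted display processor (TDP); the host CPU
    # reaches it only through write(), which the TDP can refuse.
    def __init__(self, width, height):
        self.width = width
        self.pixels = bytearray(width * height * 3)  # 24-bit RGB, row-major
        self.write_locked = False

    def write(self, x, y, rgb):
        if self.write_locked:
            raise PermissionError("frame buffer write denied during signing")
        i = (y * self.width + x) * 3
        self.pixels[i:i + 3] = bytes(rgb)

    def digest(self):
        return hashlib.sha256(bytes(self.pixels)).digest()  # 256 bits, below n


class Smartcard:
    # Holds the user's private key and seal; it signs a digest, never a document file
    def __init__(self, seal):
        self.seal = seal
        self.public, self._private = toy_rsa_keypair()

    def sign_digest(self, digest):
        d, n = self._private  # textbook RSA without padding: demo only
        return pow(int.from_bytes(digest, "big"), d, n)


def verify(public, digest, signature):
    e, n = public
    return pow(signature, e, n) == int.from_bytes(digest, "big")


class TrustedDisplayProcessor:
    def __init__(self, fb):
        self.fb = fb

    def request_signing(self, card, switch_pressed):
        # The trusted switch is the user's consent; from here on host writes are
        # refused and the card's seal is returned for display as visual feedback
        if not switch_pressed:
            return None
        self.fb.write_locked = True
        return card.seal

    def sign_displayed_image(self, card):
        # Sign exactly the pixmap on screen, then release the frame buffer
        if not self.fb.write_locked:
            raise RuntimeError("signing requested without the trusted switch")
        try:
            digest = self.fb.digest()
            return digest, card.sign_digest(digest)
        finally:
            self.fb.write_locked = False


def demo():
    fb, card = FrameBuffer(4, 2), Smartcard(seal=b"constructed-seal-pixmap")
    tdp = TrustedDisplayProcessor(fb)
    fb.write(0, 0, (255, 255, 255))  # host renders the "contract" (constructed)
    fb.write(1, 0, (0, 0, 0))
    shown = fb.digest()
    seal = tdp.request_signing(card, switch_pressed=True)
    try:
        fb.write(1, 0, (255, 0, 0))  # host process tries to alter a pixel mid-signing
        denied = False
    except PermissionError:
        denied = True
    digest, sig = tdp.sign_displayed_image(card)
    fb.write(1, 0, (255, 0, 0))  # once unlocked, the host may change pixels again
    return {
        "seal_shown": seal == card.seal,
        "signed_what_was_shown": digest == shown and verify(card.public, shown, sig),
        "write_denied_during_signing": denied,
        "signature_rejects_changed_pixmap": not verify(card.public, fb.digest(), sig),
    }
```

A verifier holding the card's public key (in the patent, supplied via the certificate) can check the signature against a fresh digest of the displayed pixmap; any change to the pixels after signing makes that check fail.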

[0050] A typical process by which graphics primitives are generated by a host computer 100 will now be described by way of background. Initially, an application program, which wishes to display a particular image, makes an appropriate call, via a graphical API (application programming interface), to the operating system. An API typically provides a standard interface for an application program to access specific underlying display functions, such as provided by Windows NT™, for the purposes of displaying an image. The API call causes the operating system to make respective graphics driver library routine calls, which result in the generation of graphics primitives specific to a display processor, which in this case is the trusted display processor 260. These graphics primitives are finally passed by the CPU 200 to the trusted display processor 260, which generates pixmap data, storing the pixmap data into the frame buffer memory 315 and reading it back from the frame buffer memory 315, converting it into signals to display the required image on the screen.

... other parts typically being display ... and the VDU 105. In other words, the display system of a host computer 100 comprises every piece of hardware and software involved in displaying an image.

The present embodiment relies on interaction between the trusted display processor 260 and the smartcard 122.

[0054] As already mentioned, the present embodiment relies on interaction between the trusted display processor 260 and the user's smartcard 122. The processing engine of a smartcard suitable for use in accordance with the preferred embodiment is illustrated in Figure 4. The processing engine comprises a processor 400 for enacting standard encryption and decryption functions, to support verification of signatures received from elsewhere. In the present embodiment, the processor 400 is a microcontroller, which has a built-in operating system and is arranged to communicate with the outside world via protocols specified through the ISO 7816-3, 4, T=0, T=1 and T=14 standards. The smartcard also comprises non-volatile memory 420, for example flash memory, containing an identifier I_SC of the smartcard 122, a private key of the smartcard 122 used for signing data, and a certificate Cert_SC provided by a trusted third party certification agency, which binds the smartcard with public-private key pairs and includes the corresponding public keys (the same in nature as the certificate Cert_DP). The certificate Cert_SC is stored in non-volatile memory 420.

[0055] The smartcard 122 also holds seal data SEAL in non-volatile memory 420, which can be represented graphically by the trusted display processor 260 to indicate to the user that a process is operating securely with the user's smartcard, as will be described in detail below. In the present embodiment, the seal data SEAL is in the form of an image pixmap, which was originally selected by the user as a unique identifier, for example an image of the user himself, and loaded into the smartcard using well-known techniques. The smartcard also has volatile memory for storing state information (such as received keys) .... Reducing the size of the seal data is an advantage in circumstances where smartcard memory is relatively limited. The seal image could comprise: a compressed image, which can be decompressed by the trusted display processor 260; a thumbnail image that forms the primitive element of an ultimately larger image generated by the trusted display processor 260; or a naturally compressed image, which can be displayed by the trusted display processor 260 as a single large image, ... as above. In any of these alternatives, the seal data itself may be in encrypted form and require the trusted display processor 260 to decrypt the data before it can be displayed. Alternatively, the seal data may identify one of a number of possible images stored by the host computer 100 or .... Further, ... the host computer 100, the trusted display processor ....

[0056] Figure 5 shows the logical relationships between the functions of the host computer 100, the trusted display processor 260 and the smartcard 122, in the context of a document signing operation. Apart from logical separation into host computer 100, trusted display processor 260 and smartcard 122, the functions are represented independently of the physical architecture. The functions of the processes which take part in the signing operation, with the host computer functions partitioned from the trusted functions, are represented in ovals, and the 'permanent' data (including the document image for the duration of the signing process), on which the functions act, are shown in boxes. Dynamic data, such as state data or received cryptographic keys, are not illustrated, purely for reasons of clarity. Arrows between ovals and between ovals and boxes represent respective logical communications paths.

[0057] In accordance with Figure 5, the host computer 100 includes: an application process 500, for example a word processor process, which requests the signing of document data 505; an operating system process 510; an API process 511 for receiving display calls from the application process 500; a keyboard process 513 for providing input from the keyboard 110 to the application process 500; a mouse process 514 for providing input from the mouse 115 to the application process 500; and a graphics primitives process 515 for generating graphics primitives on the basis of calls received from the application process via the API process 511. The API process 511, the keyboard process 513, the mouse process 514 and the graphics primitives process 515 are built on top of the operating system process 510 and communicate with the application process via the operating system process 510.
[0058] The remaining functions of the host computer 100 are those provided by the trusted display processor 260. These functions are: a control process 520 for co-ordinating all the operations of the trusted display processor 260, and for receiving graphics primitives from the graphics primitives process 515 and signature requests from the application process 500; a summary process 522 for generating a signed summary representative of a document signing procedure in response to a request from the control process 520; a signature request process 523 for acquiring a digital signature of the pixmap from the smartcard 122; a seal process 524 for retrieving seal data 540 from the smartcard 122; a smartcard process 525 for interacting with the smartcard 122 in order to enact challenge/response and data signing tasks required by the summary process 522, the signature request process 523 and the seal process 524; a read pixmap process 526 for reading stored pixmap data 531 and passing it to the signature request process 523 when requested to do so by the signature request process 523; a generate pixmap process 527 for generating the pixmap data 531 on the basis of graphics primitives and seal image data received from the control process 520; a screen refresh process 528 for reading the pixmap data, converting it into analogue signals and transmitting the signals to the VDU 105; and a trusted switch process 529 for monitoring whether the trusted switch 135 has been activated by the user. The smartcard process 525 has access to the trusted display processor's identity data I_DP, private key data S_DP and certificate data Cert_DP 530. In practice, the smartcard and the trusted display processor interact with one another via standard operating system calls.

[0059] The smartcard 122 has: seal data 540; a display processor process 542 for interacting with the trusted display processor 260 to enact challenge/response and data signing tasks; and smartcard identity data I_SC, smartcard private key data S_SC and smartcard certificate data Cert_SC 543.

[0060] A preferred process for signing a document using the arrangement shown in Figures 1 to 5 will now be described with reference to the flow diagram in Figure 6.
[0061] Initially, in step 600, the user controls the application process 500 to initiate the signing of a document. The application process 500 may be realised as a dedicated software program or may be an addition, for example a macro, to a standard word processing package such as Microsoft's Word. In either case, neither the signature request nor the application process 500 needs to be secure. When the user initiates the signing operation, he also specifies the document to be signed, if it is not one which is already filling the whole screen. For example, the document may be displayed across a part of the full screen area or in a particular window. Selection of a particular area on screen is a simple task, which may be achieved in several ways (using a WIMP environment), for example by drawing a user-defined box bounding the area or by simply specifying co-ordinates.

[0062] Next, in step 602, the application process 500 calls the control process 520 to sign the image that is being displayed (within a defined area or window) on the screen; the control process 520 receives the call. In parallel, although it is not shown, the control process 520 receives any graphics primitives from the graphics primitives process and forwards them to the generate pixmap process 527. The call from the application process 500 to sign a document includes the co-ordinates (a, b, c, d) of the edges of the document. Note that this sending of co-ordinates generally enables the signing of the entire surface of the screen, a complete window, or an arbitrary part of the screen. The application process 500 then waits for the control process 520 to return the signature of the image.
[0063] In response to the signature request, in step 604, the control process 520 forces the image that is to be signed to be 'static' from the time of the request until the process has been completed. Herein, 'static' means that the document image cannot be modified other than by the trusted display processor 260. This is so that the user can be certain that what he sees is what he is signing at all times during the process. In the present embodiment, the control process 520 achieves a 'static' display by 'holding off', or not processing, any further graphics primitives. In some situations, the graphics primitives process (or equivalent) may 'buffer' graphics primitives until the control process 520 is ready to receive further graphics primitives. In other situations, graphics primitives for the image to be signed may simply be lost. Where the document image fills the whole screen, making the image static is simply a case of not processing any graphics primitives. However, where the image to be signed forms only a subset, for example a window, of the full screen, the control process 520 needs to determine whether received graphics primitives would affect the 'static' area.
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pixmap P^.^^!l ument t0 be 8igned a8 win be described in more detail below with reference to Figure 
£ W5255 ESSE ^^.ready inserted I, the smartcard 122 reader 120 as *tern^edby 
to M <rt 525 the control process 520 instructs the generate pixmap P^J^^S 
mLl^ai ^ to insert his sma^ 1 22. This 

If the countdown timer expires (i.e. reaches zero), as a result of not receiving the smartcard 122, the control process 520 cancels the signing operation in step 614 and returns an exception to the application process 500. In response, the application process 500 displays an appropriate user message in step 616. If the smartcard 122 is

[S 7 According to Figure 7, the smartcard process 525 send, a request REQ1 to the smartcard 1 £ 
SSSo. ThVdisotay processor process 542 r^^^^e^ it wtth rSTS,^ 
smartcard process 525. The smartcard process 525 generates a nonce and concatenates "J™^^'"^ 

the sfcnature eS^R,^) and the o^^r^^^P^^^ 

260 from the certificate 

the document to be signed, as will be described below with reference to Figure 10. Then, the control process 520 instructs the generate pixmap process 527 to display a message asking the user to continue with the signing operation. This message is accompanied by a ten second countdown timer. If the countdown timer expires, in step 626, as a result of not receiving the user's confirmation, the control process cancels the signing operation, in step 628, and returns an exception to the application process 500. In response, the application process 500 displays an appropriate user message in step 629. If the user confirms by pressing the trusted switch 135 within the ten second time limit, the process continues.

switchl35 or even using appropriate software routines, providrng a reasonable level of a ^^^ J^.™" 
r^Trn^y be imtSHSL mere presence of an authentic smartcard may be suffice* authonaahon for the 

LTdoS: ^c^e signature J^es, process 523 ca.-sthe <^™£^^&^^% 
523. Additionally, the read pixmap process 526 generates 'display format data' FD, which includes information necessary to reconstruct the image from the pixmap data into a text-based document at a later time (FD is not essential, since the document text may not need to be reconstructed), and returns this also to the signature request process 523. For example, the display format data FD may include the number of pixels on the screen surface and its resolution, such as '1024 by 768', and the font type and size used for the text (if the document is text-based) in the document (at least some of this information may instead, or in addition, be contained in a document summary, as will be described below). In steps 634 and 636, the signature request process 523 interacts with the display processor process 542 of the smartcard 122 using well-known challenge/response processes to generate an individual signature of the document, as will now be described in detail with reference to the flow diagram in Figure 8.

[0071] According to Figure 8, the smartcard process 525 generates a request REQ2 for the smartcard 122 to generate a signature of the digest D_PIX and display format data FD. The display processor process 542 of the smartcard 122 responds by generating a nonce R3 and sending it to the smartcard process 525 with a challenge to return the digest D_PIX and the display format data FD. The smartcard process 525 concatenates the digest D_PIX with the display format data FD and nonce R3 and signs the concatenation D_PIX||FD||R3 to produce a signature sS_DP(D_PIX||FD||R3). The smartcard process 525 then sends the concatenation D_PIX||FD||R3 and its respective signature sS_DP(D_PIX||FD||R3) to the display processor process 542 of the smartcard 122. The display processor process 542 uses the trusted display processor's public key (which it has already received in the seal data 540 exchange) to verify the trusted display processor's signature sS_DP(D_PIX||FD||R3) and nonce R3, to prove that the digest is the current image digest. The display processor process 542 then signs the digest of the pixmap D_PIX and the display format data FD, using its private key, to produce two signatures sS_SC(D_PIX) and sS_SC(FD) respectively. The display processor process 542 of the smartcard 122 then returns the signed digest sS_SC(D_PIX) and signed display format data sS_SC(FD) to the smartcard process 525 of the trusted display processor 260. The smartcard process 525 next verifies the digest D_PIX and display format data FD, using the smartcard's public key (which it already has as a result of the seal data 540 exchange), and verifies the smartcard's signature, to prove that the smartcard is still online.

[0072] Returning to Figure 6, in step 638, the smartcard process 525 of the trusted display processor 260 concatenates the pixmap PIX, the smartcard's signed versions of the pixmap digest sS_SC(D_PIX) and display format data sS_SC(FD) to form an individual signature PIX||sS_SC(D_PIX)||sS_SC(FD) of the image, and returns it, via the signature request process 523, to the control process 520, which returns the individual signature to the application process 500. The application process 500 stores the individual signature, in step 640, and responds with a further call to the control process 520 to 'summarise the signing operation' in step 642. The purpose of a summary is to complete the signature, as will be described with reference to the flow diagram in Figure 9 and also the example summary below:

1  TC-88503-00.01
2  Access time: Thu 06-May-1999, 11:18
3  Pages: 2
4  Image01 | 560 x 414 (187,190) [1024 x 768]
5  BEGIN SIGNATURE
6  +Gr4ran0LqS/twYuPdskyL4uk3no0w3W2+f+/vzC4cI«PeY/U^a2ZScvhK3CJ+apQxyllc3CY5rTC5€3klovOPTBI/Iyq2PxRnic-
7  END SIGNATURE
8  Image02 | 670 x 379 (201,228) [1024 x 768]
9  BEGIN SIGNATURE
10 hujmqkCJO+Dz6+x8kE24Z8YFXLPOI-
11 END SIGNATURE
12 Summary signature:
13 BEGIN SIGNATURE
14 ktaTdTqY/gPhlGajrSJGqRms+we/c-
15 END SIGNATURE

[0073] In step 644, the control process 520 calls the summary process 522 to generate a summary message SUM containing the number of images (two in the example summary above) plus the individual signatures of the images (lines 6 and 10 of the example), a label identifying the trusted display device (line 1 in the example) and the current time (line 2 in the example). The summary also includes the size of each image in pixels (e.g. 560 x 414 for image 1), its position on the screen in pixels (e.g. 187,190 for image 1) and the screen resolution (e.g. 1024 x 768 for image 1).
[0074] The summary process 522 then generates a digest D_SUM of the summary SUM and passes it to the smartcard process 525 of the trusted display processor 260, which interacts with the smartcard 122 to generate a signature of the summary digest D_SUM, as will now be described with reference to the flow diagram in Figure 9.
[0075] According to Figure 9, the smartcard process 525 sends a request to the smartcard 122 to generate a signature of the digest of the summary D_SUM. The display processor process 542 of the smartcard generates a nonce and sends it in a challenge to return the digest D_SUM. The smartcard process 525 concatenates the digest D_SUM with the nonce and signs the concatenation to produce a signature sS_DP(D_SUM||nonce). The smartcard process 525 of the trusted display processor then sends the concatenation and the respective signature to the display processor process 542, which verifies the trusted display processor's signature and nonce, using the trusted display processor's public key (which it already has from the seal data 540 exchange), to prove that the digest is the current summary. Next, the display processor process 542 signs the digest of the summary D_SUM and returns the signed digest sS_SC(D_SUM) to the smartcard process 525. The smartcard process 525 of the trusted display processor verifies the digest and verifies the smartcard's signature, to prove that the smartcard is still online.
[0076] Returning to Figure 6, in step 652, the control process 520 returns the summary SUM concatenated with the signature sS_SC(D_SUM), i.e. the concatenation SUM||sS_SC(D_SUM), via the summary process 522 to the application process 500. Control of the graphics primitives associated with the signed image may not be handed back to the application process 500, or any other process, until the user so indicates, possibly in response to another user message, which this time would not have a timeout period. This would give the user more time to review the static document before returning control to the host computer 100.
[0079] In order to verify a signed document, the individual signatures PIX||sS_SC(D_PIX)||sS_SC(FD) and the summary SUM||sS_SC(D_SUM) must be verified, using the public key of the user. Such methods are well known to those skilled in the art of security.
[0080] A preferred method of enabling a person to view a signed document is to translate the pixmap back into an image. This requires an application to instruct the trusted display processor 260 to load the pixmap data PIX into the frame buffer memory. This allows a person to view the document that the signer has signed.
[0081] The stages of highlighting the document to be signed will now be described with reference to Figures 10a to 10g.

[0082] In the preferred embodiment, the seal data 540 is an image of a smiley face. As shown in Figure 10a, the pixmap represents the full area of the screen (not shown). Figure 10b illustrates an image 1005 of an example document to be signed. As a first highlighting step, after the image has been made static but before the seal data is received, the trusted display processor 260 highlights the document to be signed with a frame 1020 around the document image 1005, as illustrated in Figure 10c. Also, where a smartcard has not yet been inserted, a message asking the user to insert his smartcard is displayed, accompanied by a countdown timer 1035, as also illustrated in Figure 10c. Next, when the smiley face pixmap image is retrieved from the smartcard 122, the trusted display processor 260 embellishes the frame 1040 with multiple smiley face images, as shown in Figure 10d. In addition, as shown in Figure 10d, a message 1050 is displayed, accompanied by a ten second countdown timer 1055, asking the user to proceed with the signing process. This embellished frame 1040 both indicates to the user that the image area is being acted on and provides the user with a high level of confidence that the trusted display processor 260 is in control of the signing process; the presence of the user's own seal image confirms that the message has come from the trusted display processor and not from some other software or hardware device.
[0083] In Figure 10e, four single seal images 1060 are positioned at the corners of the static document image using the co-ordinates provided by the application process 500, to define the static image area. In Figure 10f, the static image is defined by modifying the background thereof to show a single seal image. In Figure 10g, the static image is defined by modifying the background thereof to show a mosaic of seal images. It is expected that the skilled reader will be able to think of other visual effects by which the static image may be highlighted in the light of the present description. In addition, it may be desirable to include further status messages during the signing operation, for example 'Retrieving seal data 540 now...', 'Generating document signature now...', etc.

[0084] It will be appreciated that the trusted display processor 260 needs to be able to display the seal image(s) and the messages in the correct places on screen. Clearly, the seal image and the message images are temporary, to the extent that they appear during the signature process and disappear thereafter. There are well-known, standard display techniques for overlaying a first image with a second image, thereby obscuring a part of the first image, then removing the second image and restoring the portion of the first image that had been obscured. Such techniques are used as a matter of course in normal windows environments, for example where multiple windows may overlap one another. The trusted display processor 260 is arranged to implement one or more of these standard techniques for the purposes of superimposing the seal image(s) and the message images over the standard display.

[0085] In some scenarios, it may be that a document is too large to fit all at once onto the VDU 105 screen and still be easily read by a person. Obviously, for the present embodiment to be practical, it is essential that a user can very clearly read the document before signing it. Therefore, the document can be split into multiple screen pages, each of which needs to be signed and cryptographically chained to the signature of the previous page, as will now be described.
[0086] First, the application process 500 causes the image of the first page to be displayed and makes a call to the trusted display processor 260 for signing as before. When the trusted display processor 260 returns the individual signature, instead of requesting a summary, the application process 500 instructs the trusted display processor 260 to display the image of the second page and sign the image. Clearly, in this case, the trusted display processor 260 is arranged to support such a request by the application process 500. Only after all images have been signed and returned to the application process 500 does the application process 500 issue a request for a summary. Then, the summary includes the number of images that were signed in this multi-page document, for example as illustrated in the two-page summary above.
[0087] The first page in the multi-page document is signed in the same way as a single page, resulting in return of an individual signature. When subsequent images are presented for signing, however, the trusted display processor 260 recognises that they are part of a multi-page document because no summary request was received after the previous signature request. As a result, the trusted display processor 260 displays a different message, which requests permission from the user to sign a continuation page. In response, the user who is signing a multi-page document uses the same reliable permission channel as before (for example, the trusted switch 135) to confirm to the trusted display processor 260 that this page is associated with the previous page, and is also to be signed. When the trusted display processor 260 receives this multi-page confirmation, it concatenates the signature of the previous signed page with the pixmap of the current page, creates a digest of the concatenation, and sends that to the smartcard for signing. This is instead of sending a digest of just the current pixmap. This process cryptographically 'chains' a subsequent page to the previous page, so that pages cannot be rearranged without detection, nor can intermediate pages be inserted or deleted without detection.
[0088] The validity of the first page may be checked in exactly the same way as a single page. The validity of subsequent pages is checked using the same method as for a single page, except that the digest of the current pixmap is replaced by the digest of the concatenated previous signature and current pixmap.

[0089] It will be appreciated that there are many ways of cryptographically chaining a subsequent page to a previous page. Such ways will be obvious to those skilled in the art of security in the light of the present description.
[0090] For added security, the image of each page of a multi-page document may be arranged to include the conventional footer 'Page x of y', where x is the number of the page and y is the total number of pages. This enables ready detection by a person of a truncated document simply by reading the document.
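The following is an added, constructed example and not code from the patent: it models the Figure 8 exchange (nonce challenge, sS_DP over D_PIX||FD||R3, the smartcard's separate sS_SC(D_PIX) and sS_SC(FD)), the Figure 9 summary signature, and the page chaining of [0087] and [0088], together with the verification side. The ToyKey class (a deliberately toy-sized RSA stand-in for S_DP and S_SC), the length-prefixed cat()/split() encoding used for '||', and the Smartcard and TrustedDisplayProcessor classes are assumptions of this example.

```python
import hashlib
import math
import os

# Toy RSA stand-in for the keys S_DP / S_SC (constructed for this example; NOT secure).
def _next_prime(n):
    while any(n % i == 0 for i in range(2, math.isqrt(n) + 1)):
        n += 1
    return n

class ToyKey:
    E = 65537

    def __init__(self, seed):
        p, q = _next_prime(seed), _next_prime(3 * seed + 1)
        while math.gcd(self.E, (p - 1) * (q - 1)) != 1:
            q = _next_prime(q + 1)
        self.n, self.d = p * q, pow(self.E, -1, (p - 1) * (q - 1))

    def public(self):
        return (self.n, self.E)

    def sign(self, data):
        # sS(data): textbook RSA over SHA-256(data) reduced mod the toy modulus
        h = int.from_bytes(hashlib.sha256(data).digest(), "big") % self.n
        return pow(h, self.d, self.n).to_bytes(16, "big")

def verify(pub, data, sig):
    n, e = pub
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(int.from_bytes(sig, "big"), e, n) == h

def cat(*parts):
    # Unambiguous '||': length-prefix each part so D_PIX||FD||R3 cannot be re-split differently
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def split(blob):
    parts, i = [], 0
    while i < len(blob):
        ln = int.from_bytes(blob[i:i + 4], "big")
        parts.append(blob[i + 4:i + 4 + ln])
        i += 4 + ln
    return parts

class Smartcard:
    # Display processor process 542: holds S_SC and the TDP public key from the seal exchange
    def __init__(self, tdp_pub):
        self.key, self.tdp_pub, self.nonce = ToyKey(2_000_003), tdp_pub, None

    def challenge(self):
        self.nonce = os.urandom(8)          # R3 in Figure 8: a fresh nonce per request
        return self.nonce

    def sign_items(self, items, tdp_sig):
        # Check sS_DP(items||nonce) against the *current* nonce, then sign each item with S_SC
        ok = self.nonce is not None and verify(self.tdp_pub, cat(*items, self.nonce), tdp_sig)
        self.nonce = None                   # a nonce answers exactly one challenge
        if not ok:
            raise ValueError("TDP signature or nonce check failed")
        return [self.key.sign(item) for item in items]

class TrustedDisplayProcessor:
    # Smartcard process 525, signature request process 523 and summary process 522 in one object
    def __init__(self, label=b"TDP-LABEL-EXAMPLE"):
        self.key, self.label, self.card = ToyKey(1_000_003), label, None

    def _card_sign(self, items):
        nonce = self.card.challenge()
        sigs = self.card.sign_items(items, self.key.sign(cat(*items, nonce)))
        # Verify the card's signatures with its public key (card still online, as in Figure 8)
        if not all(verify(self.card.key.public(), i, s) for i, s in zip(items, sigs)):
            raise ValueError("smartcard signature check failed")
        return sigs

    def sign_page(self, pix, fd, prev_sig=None):
        # [0087]: a continuation page digests previous_signature||pix instead of pix alone
        d_pix = hashlib.sha256(cat(prev_sig, pix) if prev_sig else pix).digest()
        s_dpix, s_fd = self._card_sign([d_pix, fd])
        return cat(pix, s_dpix, s_fd)       # PIX||sS_SC(D_PIX)||sS_SC(FD)

    def summarise(self, page_sigs, access_time):
        # [0073]: SUM carries the device label, time, image count and every individual signature
        sum_msg = cat(self.label, access_time, str(len(page_sigs)).encode(), *page_sigs)
        (s_dsum,) = self._card_sign([hashlib.sha256(sum_msg).digest()])
        return cat(sum_msg, s_dsum)         # SUM||sS_SC(D_SUM)

def verify_page(card_pub, fd, individual_sig, prev_sig=None):
    # [0088]: for a subsequent page the digest is recomputed over previous signature||pixmap
    pix, s_dpix, s_fd = split(individual_sig)
    d_pix = hashlib.sha256(cat(prev_sig, pix) if prev_sig else pix).digest()
    return verify(card_pub, d_pix, s_dpix) and verify(card_pub, fd, s_fd)

def verify_summary(card_pub, signed_summary):
    sum_msg, s_dsum = split(signed_summary)
    return verify(card_pub, hashlib.sha256(sum_msg).digest(), s_dsum)
```

Presenting a chained page as if it were a first page, swapping the page order, or altering one byte of the summary signature all fail verification, while a replayed signing request without a fresh challenge is rejected by the card.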

[0091] A significant benefit of the present document signing scheme is that a signed document can be re-signed and countersigned. As such, it is preferable for the summary of a document to include an audit trail. There are many variations on re-signing and countersigning, although (obviously) an electronic integrity check should always be done before any further signing. At one extreme, the new signer could view, confirm and re-sign each signed image in turn, effectively replacing the original signature by a new one. This method could be used, for example, by a user signing a document prepared for him by someone else. At the other extreme, the new signer could simply 'rubber stamp' the original signature by signing the original summary, without necessarily viewing the document at all. This could be useful to a manager countersigning the work of a trusted employee.

[0092] For a re-signing operation, the application process 500 issues a re-signing request, and transmits an already 
signed document (plus the individual signature(s) and the summary) to the trusted display processor 260. The trusted 
display processor 260 verifies the signed document using the public key of the signer, recovers the pixmap of the 
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has been signed by the smattcard belonging to the new user g ^,^5^ request and 

Ugnaun hiaay d M document » be Hand. The sun. J"!"™^'"*? a ^ mmt me eud« weimWoi. Is 

signed by ale Mueted owcoy proceeew 260, hum 5^*~!'|''TTr'^L siaMureon thai eymmaly Wbwnelicn, 

heen created from scratch, the identity label bp of the trusted 
by the previous signer), "'he sjgn ^ De " eferabty also includes an indication of which 

display processor 260 is rnserted a ^^ v 27TuIe^Z^Lr the document was created from scratch, 
dividual images v«rev^ 

or resigned, or vrascounters.gned by the new use^ 

is eent a digos, of the aud« ^^^^ ^^^^ ^^p^ is as previ^V described, 
a digest of just the previously described contented ^"^^^^^^^^.^Xru^d 

Kyp^^^ 

ated with storing and sending the individual. "^^on elf|orithrn8 . (or exampte 8 codeword-based algo- 
[00971 The P «map may be ^P' e ^ * ™S TZZ^sS^B (optical character recognitcn) may 
rithm applying L2-1 or LZ-2 compression. A "«^J^ h "^ *™^ ven tiona OCR in that the hput data has 
be used to compress the pixmap. In th.s case, the srtuatan ottenr JJJJJJJ OCR<ornpfe8se d version of the 

been perfectly '™™*^l^*^eTzn ■ P*map of each 

pixmap may be generated by ■btobfliatchmg to create ani al ?™°°L H euch that the message represents the 
Swacter in the alphabet ?<Z*^Z^^ * that 

original pixmap. Th.s means that ^^mapcan been comp « ^ ^ ha toBrt ^ oompWi ^m»*ocl 

alphabet. Since there are, obviously, TO . e ^"° •f™*^ a pure black and white 

[0098] Another way of reducing the size of the pixmap is to store it as a pure black and white image, requiring only a single bit, set to zero or one, per pixel to represent black or white. Otherwise, the document image is represented as a full-colour pixmap, in which each pixel may require up to 24 bits. Obviously, this technique may be suitable for simple, black and white text-based documents, but it would not be appropriate for colour documents or images.

,.,00, To ^ » f^"*^" TT^T^R ^ ™» be .—d .. a 

h«Ke comMed lb a atandaid *e™ew «. *•£ ^?~^ ul ^,^ w . a ^»i Z eWo™»h»b^ 

z:i'rcSrr«^r^ b, -»»^-*- «■.-»- - - 

[0102J The preferred embodiment ^ cr ^^°^,*™ TzT mefnon/ 315 beyond the point where the video 

data cannot be modified unless the trusted display processor 260 ^ 
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f0103I It will be aopraciated that not all computer architectures are arranged in this way. For example some computer 

Sctu^ 
a^essspa*^ 

s Z^Tl^^ZS^pl^^ in^h a SAS system cannot re* on .he premise mat the 
hS meCy is S ZEZ s^ing. since the CPU can still access the memory However, there are many way, 
Jf* T^sir^sleTmaybe modified to support hiplementattons of the present invention. For example, the 
meSo^uW bel S 2h line f romTtrusted display processor such that, during a signing cperaUoa 

memory could be P*™""^"^ led bvdata , rom me C PU. The memory devices themselves are preferably 

^c«££ta nomScontrolpath of the memory. Such systems, therefore, on the meddled 

plission of the trusted display processor. Clear*, this premise is as vaWfor secure operate as the first 

£££ £rd™ Sr^mitlng the graphic performance ^^^^^^^ 
Ousted display processor" as such. However, It will be apparent to the skilled person hatlhe 
, 0 I Srirusled dfeolav processor, that ol protecting Ihe frame buffer memory and rteractmg w.lh a sntarteard. can be 
^^^J^!^ trusted component, which controls ^display system (in whatever form) dunng 

m5t Inotheremfcxiimentsof^ 

SSm Serface for driving a trusted display. The trusted disptey 
,s the samo way that the trusted switch provides a trusted moans for a user to nteract wtfh trusted d »^«""«" 
2 ZL dlplay can provide a trusted means .or leering bacK ^^^^J^^o^^ 
VDU. For example, the trusted display might be used to provide user status messages relating to a signing operation. As such, applications running on the standard host computer should not be able to access the trusted display; the display is connected either directly to the trusted display processor or via some form of secure link. In essence, such a trusted display is an addition to the so-called 'trusted interface' described above. There is no reason why other forms of trusted feedback device, of which the trusted display is an example, should not be included in addition, or as an alternative. For example, there may be scenarios where some form of trusted sound device would be useful for providing audible feedback.

Claims 

1. A data processing system arranged to digitally sign a document, the data processing system comprising:

main memory means for storing a document to be digitally signed;
main processing means for generating graphics signals for displaying the document;
means for generating a request signal for the document to be signed;
a display system comprising:

a frame buffer memory;
means for generating digital image data representative of the document on the basis of the graphics signals and storing the digital image data in the frame buffer memory; and
means for reading digital image data from the frame buffer memory, converting the digital image data into signals suitable for displaying an actual image thereof on a display means and forwarding said signals to a display means; and

a trusted component comprising independent processing means operable, in response to receipt of the request signal, for generating a digital signature representative of the digital image data.

2. A data processing system according to claim 1, wherein the trusted component comprises means for denying to any other process write access to the respective portion of the frame buffer memory storing the digital image data of the document, and means for generating a digital signature representative of the digital image data while the respective portion of the frame buffer memory is not accessible for writing data.

3. A data processing system according to claim 1 or claim 2, further comprising a removable token comprising processing means for receiving the digital image data, or a representation thereof, and generating a respective digital signature.


4. A data processing system according to any one of the preceding claims, wherein the trusted component further comprises means for acquiring and/or generating trusted image data and means for controlling the display system to highlight the displayed document image using the trusted image data.

5. A data processing system according to claim 4, wherein the trusted image data comprises pixmap data represent- 
ative of the trusted image or instructions for forming the trusted image. 

6. A data processing system according to claim 4 or claim 5, wherein the trusted component controls the display system to highlight the displayed document image by producing one or more of the following visual effects:

a border, or an indicator or indicators defining a border, characterised by the trusted image and positioned at least partly around the document image;
a background pattern characterised by the trusted image forming at least part of the background of the document image;
an image characterised by the trusted image formed within the document image; and/or
a text message characterised by the trusted image formed within or near the document image.

7. A data processing system according to any one of claims 4 to 6, wherein the trusted component comprises means for acquiring and/or generating trusted image data from a removable token.

8. A data processing system according to any one of the preceding claims, wherein the trusted component further comprises means for controlling the display system to display messages to a user.

9. A data processing system according to claim 8, further comprising trusted input means by which a user can respond to messages in a secure fashion.

10. A data processing system according to claim 9, wherein the trusted input means comprises a switch connected to the trusted component via a secure communications channel.

11. A data processing system according to claim 3 or claim 7, wherein the trusted component and the secure token 
enact a mutual authentication process in advance of further interactions. 

12. A data processing system according to any one of the preceding claims, wherein the trusted component forms an
integral part of the display system. 

13. A data processing system according to claim 12, wherein the display system is arranged such that the trusted component is physically and functionally positioned between the main processing means and the frame buffer memory, such that the main processing means can only access the frame buffer memory indirectly through functions of the trusted component.

14. A data processing system according to any one of the preceding claims, further comprising means for generating 
data summarising a digital signature operation. 



15. A method for digitally signing a document, comprising the steps:

generating digital image data of the document and updating the digital image data in a frame buffer memory;
reading the digital image data from the frame buffer memory, converting the digital image data into signals suitable for driving a visual display means and transmitting the signals to a visual display means for displaying an image of the document; and
on demand, reading the digital image data from the frame buffer memory and generating a digital signature representative thereof.
16. A method according to claim 15, further comprising the step of temporarily denying write access to the frame buffer memory by unauthorised processes while generating the digital signature.

17. A method according to claim 14 or claim 15. further comprising the step of acquiring and/or generating trusted 
image data and using the trusted image data to highlight the (tocument image. 

18. A method according to claim 17, wherein the step of highlighting the document image is achieved by generating any
one or more of the following visual effects:

a border, or an indicator or indicators defining a border, characterised by the trusted image and positioned at
least partly around the document image;
a background pattern characterised by the trusted image forming at least part of the background of the document
image;
an image characterised by the trusted image formed within the document image; and/or
a text message characterised by the trusted image formed within or near the document image.

19. A method according to claim 17 or claim 18, wherein the trusted image data is acquired from a removable token. 

20. A data processing system arranged to digitally sign a document in accordance with any one of claims 15 to 19.

21. A method for digitally signing a document comprising a plurality of individual viewable pages, comprising the steps:

a) generating digital image data of the first page of the document and updating the digital image data in a
frame buffer memory;
b) reading the digital image data from the frame buffer memory, converting the digital image data into signals
suitable for driving a visual display means and transmitting the signals to a visual display means for displaying
an image of the document;
c) reading the digital image data from the frame buffer memory, generating a digital signature representative
thereof and storing the digital signature;
iv) repeating steps a) to c) for the other page(s) of the document; and
v) generating a further digital signature representative of all previous digital signatures.

22. A method for a second user to digitally counter-sign a document that has already been signed by a first user, the
document being accompanied by a respective first digital signature generated by using a secret of the first user,
comprising the steps:

generating digital image data of the document and updating the digital image data in a frame buffer memory;
reading the digital image data from the frame buffer memory, converting the digital image data into signals
suitable for driving a visual display means and transmitting the signals to a visual display means for displaying
an image of the document;

verifying the integrity of the first digital signature; and

on the basis of a secret of the second user, generating a digital signature representative of the first digital
signature.

23. A method for a second user to digitally re-sign a document that has already been signed by a first user, the
document being accompanied by a respective first digital signature generated by using a secret of the first user,
comprising the steps:

generating digital image data of the document and updating the digital image data in a frame buffer memory;
reading the digital image data from the frame buffer memory, converting the digital image data into signals
suitable for driving a visual display means and transmitting the signals to a visual display means for displaying
an image of the document;

verifying the integrity of the first digital signature; and
reading the digital image data from the frame buffer memory and, on the basis of a secret of the second user,
generating a digital signature representative of the first digital signature.
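As an added example (not part of the patent or any implementation of it), the following Python models claims 15, 21 and 22: the signing component signs the bitmap read back from the frame buffer, chains the per-page signatures into a final signature, and a counter-signer verifies the first signature against the displayed image before signing it. The signature scheme, the key size and the frame-buffer stand-in are assumptions; the claims specify none of them.

```python
"""Added example, not from the patent: a model of claims 15, 21 and 22. What is
signed is the bitmap read back from the frame buffer, never the document file.
Assumption: textbook RSA over SHA-256 (no padding, stdlib only) stands in for
the unspecified signature scheme; real systems use RSA-PSS or EdDSA."""
import hashlib
import secrets

def keygen(bits=512):
    """Demo RSA key pair: Fermat-tested random primes (real code uses Miller-Rabin)."""
    def prime():
        while True:
            p = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if all(pow(secrets.randbelow(p - 3) + 2, p - 1, p) == 1 for _ in range(32)):
                return p
    while True:
        p, q, e = prime(), prime(), 65537
        if p != q and (p - 1) * (q - 1) % e:  # e must be invertible mod phi(n)
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def render_to_frame_buffer(page_text, size=256):
    """Constructed stand-in for the display pipeline: a fixed-size 8-bit bitmap."""
    return page_text.encode()[:size].ljust(size, b"\0")

def sign_document(priv, pages):
    """Claim 21: sign each page's bitmap as displayed, then sign the list of page
    signatures so that pages cannot be dropped, reordered or substituted."""
    page_sigs = [sign(priv, render_to_frame_buffer(p)) for p in pages]
    return page_sigs, sign(priv, b"".join(s.to_bytes(64, "big") for s in page_sigs))

def verify_document(pub, pages, page_sigs, final_sig):
    """Check every page against its signature, then the signature over all of them."""
    if len(pages) != len(page_sigs):
        return False
    pages_ok = all(verify(pub, render_to_frame_buffer(p), s) for p, s in zip(pages, page_sigs))
    return pages_ok and verify(pub, b"".join(s.to_bytes(64, "big") for s in page_sigs), final_sig)

def counter_sign(second_priv, first_pub, frame, first_sig):
    """Claim 22: verify the first signature against the displayed bitmap, then
    sign that signature with the second user's secret."""
    if not verify(first_pub, frame, first_sig):
        raise ValueError("first signature does not match the displayed image")
    return sign(second_priv, first_sig.to_bytes(64, "big"))
```

Note that verification only succeeds when the verifier re-renders to the same bitmap, which is the point of claims 13 and 16: the signer must see exactly the bytes that reached the display.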


24. A data processing system arranged to generate a digital signature representative of a document, the data processing
system comprising:

main processing means for generating graphics signals for displaying a document;
a display system comprising:

means for generating digital image data representative of the document on the basis of the graphics
signals and storing the digital image data in the frame buffer memory; and
means for reading the digital image data from the frame buffer memory, converting the data into signals
suitable for driving a visual display means and transmitting the signals to a visual display
means; and

means for generating a digital signature representative of the digital image data.
25. A system for digitally signing a document comprising

memory;
means

for reading the image data from the frame buffer memory and displaying a respective image on a

26. A trusted component for use in a data processing system according to any one of claims 1 to 14.

27. A trusted component according to claim 26, fabricated to be tamper-resistant.